Open Source and information security mailing list archives
Date: Tue Jun 13 19:26:33 2006
From: Wu at AUX.UWM.EDU (Jacob Wu)
Subject: repeated port 21 attempts

I have received the suggestion that these attempts to connect to our ftp
server are actually attempts to connect to some anti-virus ftp server for
updates.  This is quite probable given that:

1.) When our client has a 10.x.x.x address all dns requests resolve to the
IP number of my server.
2.) After they register and have a "real" IP we switch them to a real DNS
server.

It is also possible that it could be a bot "calling home", but when we have
brought the computers down to our office and scanned them ourselves we can't
find anything on them.

I'm going to call this one done since the "attacks" seem to go away once we
give them a "real" IP.  Thanks to all.

-----Original Message-----
From: Andrew Farmer [mailto:andfarm@...il.com] 
Sent: Tuesday, June 13, 2006 12:49 PM
To: Jacob Wu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Re: [Full-disclosure] repeated port 21 attempts

On 6/13/06, Jacob Wu <Wu@....uwm.edu> wrote:
> They are all non-routable 10.x.x.x IPs.  This is for a residence hall at my
> University.  Residents, when they first turn on their computers, are given a
> 10.x.x.x IP and made to register and agree with the network use policy.
> Once they do that they are given a "real" IP and thus access to the
> internet.

Are you doing something weird with DNS that's making this one machine's
address show up on lookups, or messing with routing so that everything
gets redirected to this box?

If so, I'd wonder if this is some sort of bot that you're seeing that's
trying to "call home" with FTP. It might behoove you to (kindly) ask the
owner of one of the machines to let you take a look at their machine to see
what it's doing.

> Someone sent me this link:
>> Try websnarf:  http://www.unixwiz.net/tools/websnarf-1.04
> But it gives me less information than iptables does.

You may have to modify it to better imitate an FTP server - it was written
for use as a faux HTTP server. In particular, the client may be waiting for
a banner and/or greeting before it makes a request.
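A faux FTP listener of the kind suggested in the reply above, as an added example that is not websnarf and not code from either poster. It does the two things the thread asks for: it sends a 220 greeting first, so a client that waits for the banner goes on to talk, and it records every control-channel command (USER, CWD, RETR path and so on), which is the information iptables cannot give you and which tells an anti-virus updater fetching a definitions file apart from something else. The canned replies, the port, the peer address and the sample client script in `demo_session` are all my own choices and constructed input, not taken from the thread; any real client will send whatever it sends.

```python
"""Faux FTP control-channel listener: greet first, then log what the client asks for.

Added example. Accepts any login and refuses every data transfer, so the
client reveals its intent (user name, directory, requested file) without
being given anything. Run it on the box that all wildcard DNS names
resolve to, then read the log.
"""
import io
import socket
import threading

GREETING = b"220 ftp ready\r\n"

# Canned replies chosen for this example (assumption, not from the thread).
# Logins succeed; PASV/PORT/RETR/LIST fail so no data channel is ever opened.
REPLIES = {
    "USER": "331 Password required.\r\n",
    "PASS": "230 Login ok.\r\n",
    "SYST": "215 UNIX Type: L8\r\n",
    "PWD": '257 "/" is current directory.\r\n',
    "TYPE": "200 Type set.\r\n",
    "CWD": "250 Directory changed.\r\n",
    "PASV": "425 Can't open data connection.\r\n",
    "PORT": "425 Can't open data connection.\r\n",
    "RETR": "550 File unavailable.\r\n",
    "LIST": "425 Can't open data connection.\r\n",
    "QUIT": "221 Goodbye.\r\n",
}


def parse_command(line):
    """Split 'retr /pub/x' into ('RETR', '/pub/x'); the verb is upper-cased."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    return verb.upper(), arg.strip()


def reply_for(verb):
    """Reply bytes for a verb; anything unknown gets a 502 so the client keeps going."""
    return REPLIES.get(verb, "502 Command not implemented.\r\n").encode("ascii")


def serve_session(rfile, wfile, peer, log=print):
    """Drive one control-channel session. Returns the (verb, arg) pairs seen.

    The greeting is written before anything is read: a client that waits for
    the banner would otherwise sit silent and show up only as a SYN in iptables.
    """
    wfile.write(GREETING)
    wfile.flush()
    seen = []
    for raw in rfile:
        verb, arg = parse_command(raw.decode("ascii", "replace"))
        if not verb:
            continue
        seen.append((verb, arg))
        # Do not write other people's passwords to the log; the verb alone is enough.
        shown = "***" if verb == "PASS" else arg
        log(f"{peer} {verb} {shown}".rstrip())
        wfile.write(reply_for(verb))
        wfile.flush()
        if verb == "QUIT":
            break
    return seen


def demo_session(script, peer="10.0.0.7:1234"):
    """Run serve_session against an in-memory client script (constructed input, no network).

    Returns (commands seen, everything the server sent, log lines).
    """
    lines = []
    out = io.BytesIO()
    seen = serve_session(io.BytesIO(script), out, peer, log=lines.append)
    return seen, out.getvalue().decode("ascii"), lines


def handle(conn, addr):
    """One accepted TCP connection -> one logged session."""
    peer = "%s:%d" % addr
    with conn, conn.makefile("rb") as rf, conn.makefile("wb") as wf:
        serve_session(rf, wf, peer)


def listen(host="0.0.0.0", port=21):
    """Accept connections forever, one thread per client (port 21 needs root)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    import sys
    listen(port=int(sys.argv[1]) if len(sys.argv) > 1 else 21)
```

Started with `python3 fauxftp.py 21` on the server that the 10.x.x.x clients' DNS lookups land on, the log shows lines such as `10.0.0.7:1234 RETR defs.dat` for each connection; the USER string and the requested path are usually enough to recognise an update client, while a client that logs in and tries to STOR or fetch something unexpected is worth the walk to the resident's room. The data-channel refusals mean nothing is ever transferred either way.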
